Don't just Manage your data security posture - Elevate it!!

Data Protection is HARD!!

Well, this is not the first time you have heard this phrase, whether from the security practitioner community or from security vendors. Data protection is a discipline and a framework, and it covers multiple areas: establishing a solid data governance model, which means understanding what data you are collecting; consent for the data you collect; transparency about its use for your legitimate business needs; the data storage services and their locations; data retention; identity and access management policies and processes; the form or state of the data while it is stored; data sharing; protection of the data at rest, in transit, and in use; logging and monitoring of activity; backups and replication; sovereignty; et al. So you can imagine why this is hard and why enterprises often struggle with most of these areas, especially understanding their own data. Interestingly, and often to their peril, they think they have the protection part covered, which they don't (that is another article and discussion for another day).

About me

Over the last 10 years of my career of 23 years, I've been practicing data protection and started my stint in data security way before data protection or privacy regulations such as the General Data Protection Regulation, a.k.a. GDPR, or CCPA came into force. My career within Cyber Security started with running an enterprise Data Protection Program, where I was responsible for all cryptographic utilities and services that enabled the enterprise to encrypt endpoints (disks for PCs and Macs), sensitive emails, files, and data fields using various key management, encryption, and tokenization technologies. As I moved on to other organizations, I extended my responsibilities to handle additional capabilities such as PKI, Payments Tokenization, P2PE, CASB, Database Encryption, et al. Later in my career, I had the opportunity to move on to the vendor side of the table, where I headed Product Management for a very popular and widely used data security solution suite in the industry. And in my last couple of years, I expanded into the privacy rights management and data governance space, using various solutions and services to handle data subjects' rights, data discovery & classification, access intelligence, data lineage, etc.

Every company is a data company!!

With the data explosion across all fronts of our lives, rapid cloud adoption, the advent and ubiquitous expansion of artificial intelligence, and enterprises leveraging Generative AI tools to enhance, optimize, and expand their business processes, we are in the age of data: an era that has created significant challenges for security practitioners and businesses in ensuring data is managed, governed, protected, and handled adequately and responsibly.

Data Security Posture Management (DSPM)

A relatively new market segment, called DSPM, has evolved; it typically involves discovery and classification of data, obtaining access intelligence on that data, understanding data lineage and flows, and then reporting on those findings. You can see a mix of seasoned tech companies (expanding into this area) and rapidly growing start-ups focused on this specific domain (backed by a lot of investor funding) occupying this space. I've evaluated and worked with various DSPM solutions and services available in the market, and much like the Data Encryption/Tokenization segment (often referred to as the Data Masking segment by most analyst firms), the DSPM segment is quite competitive, although not as mature and tenured as the Data Masking segment.

DSPM Solutions & Services

Quite a few of these DSPM solutions and services do a good job for certain data types and data stores, and less so for others. Studies show that typically 80% of enterprise data is unstructured, and unstructured data is known to be more difficult to manage. Many vendors prioritize support for unstructured data sources, whereas few cover structured data sources as well. The market is still maturing in terms of broad coverage across multiple data stores and the features offered for each. Even the services offered by cloud service providers are still in an early maturity phase when it comes to providing valuable insights across the data storage services they themselves offer: they have very good coverage for specific storage service(s), while for others they are still in alpha/beta or preview stages. In some cases they have limitations on how much data they can scan, what sort of data categorization or classification they can offer, and what valuable insights they can provide. A lot of vendors and service providers claim and/or promise the use of AI/ML for their data classification feature; however, it's an oversold term. In reality, and in the majority of cases, it is glorified pattern matching (read: regex) and requires a significant tuning exercise by the enterprise teams to improve the quality of data classification.
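As an added illustration of that last point (example code written for this article, not taken from any vendor or DSPM product mentioned here): a bare regex for 16-digit card numbers flags every 16-digit string it sees, while one typical tuning step, a Luhn checksum on each match, discards the look-alikes. The sample records are constructed; the card numbers are the publicly documented Luhn-valid test numbers, not real accounts.

```python
import re

# Constructed sample records for the demonstration.
SAMPLE_RECORDS = [
    "order 4111111111111111 shipped",          # Luhn-valid test PAN
    "card 5500 0000 0000 0004 on file",        # Luhn-valid test PAN, space separated
    "ticket id 1234567890123456 opened",       # 16 digits, fails Luhn
    "serial 0000000000000001 registered",      # 16 digits, fails Luhn
    "no numbers here",
]

# Sixteen digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the classifier never echoes a full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def naive_classify(text: str) -> list[str]:
    """Pattern matching as commonly shipped: a regex hit is a hit, no validation."""
    return [mask(re.sub(r"[ -]", "", m.group(0))) for m in PAN_PATTERN.finditer(text)]


def tuned_classify(text: str) -> list[str]:
    """Same regex, plus a Luhn check so arbitrary 16-digit strings are dropped."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def compare(records: list[str]) -> dict[str, int]:
    """Count hits from both classifiers over a batch of records."""
    naive = sum(len(naive_classify(r)) for r in records)
    tuned = sum(len(tuned_classify(r)) for r in records)
    return {"naive_hits": naive, "tuned_hits": tuned,
            "false_positives_removed": naive - tuned}


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(f"{record!r}: naive={naive_classify(record)} tuned={tuned_classify(record)}")
    print(compare(SAMPLE_RECORDS))
```

The Luhn check is only the first tuning knob; a real deployment would also add issuer prefix ranges, context keywords, and per-store allowlists, which is exactly the tuning work the paragraph describes landing on the enterprise team.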

Disclaimer - I am not an analyst, nor have I ever worked for any of the analyst firms, and my views are entirely my own, and strictly based on a decade-long hands-on experience and in-depth learning as an enterprise customer and security practitioner.

If it's not automated, it's broken!!

In a nutshell, regardless of how much information (and at whatever degree of accuracy, adequacy, and relevance) these data security posture management solutions and services provide, the buck stops at the point where these findings are reported to some form of monitoring or ticketing system, or a repository. Then it's up to the enterprise to take notice of what has been reported, and to assess which findings are more critical or concerning and need to be remediated from a risk perspective. This is where process automation takes a break, and people, processes, and manual intervention take over.

Once these findings are reported, it's up to the enterprise business, IT, and/or security teams to mine through the significant volume of information that has been produced, cleanse it, decipher and assess it, identify the high-priority or critical items, make remediation decisions, and then (hopefully) take action. In practice this can take several weeks or months. At the end of the day, the identified risks haven't organically or automatically transitioned into a remediation phase. So you could call it managing your data security posture, in that you have a good understanding of everything that's out there, but you are not managing it effectively to the point where risks are remediated as and when they are discovered or identified.

From Manage to Elevate!!

Of course, not all risks are the same, and hence the level or extent of security controls needed to reduce the inherent risk to a residual risk that is acceptable or within the organization's tolerance won't be the same for each identified risk either. That requires creating a risk-based data protection model, and coupled with that model comes the need for automatic implementation of security controls. That is where Data Security Posture Management (DSPM) is effective, and where it transitions or extends into what we can coin as Data Security Posture Elevation (DSPE). In my next article, I will expand on some real use cases that I have driven and implemented to automatically transition from identifying and reporting risks to remediating them, touch upon the various data security controls for DSPE and the challenges with them, explain why enterprises struggle to elevate into a data-centric security model, and show where optimizations can come into place.
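To make the "manage to elevate" step concrete, here is an added example (written for this article, not code from any DSPM product or from the author's own implementations) of a small risk-based policy that takes scan findings as input and decides which controls to apply automatically and which to hand to a person. The findings, resource names, sensitivity weights, and tier thresholds are all constructed policy values; the one deliberate design choice is that a classification label the policy does not recognise is never auto-remediated, because classification quality is the weak point discussed earlier.

```python
from dataclasses import dataclass


# Constructed DSPM-style findings for the demonstration (resource names are made up).
@dataclass(frozen=True)
class Finding:
    resource: str        # data store reported by the scan
    classification: str  # label assigned by the scan, e.g. "pii", "pci"
    exposure: str        # "public", "internal" or "restricted"
    encrypted: bool      # whether encryption at rest is already enforced


# Illustrative policy weights, not a standard.
SENSITIVITY = {"pci": 3, "phi": 3, "pii": 2, "internal": 1, "public": 0}
EXPOSURE = {"public": 3, "internal": 2, "restricted": 1}

SAMPLE_FINDINGS = [
    Finding("customer-exports", "pii", "public", False),
    Finding("payments-db", "pci", "restricted", True),
    Finding("analytics-lake", "pii", "internal", False),
    Finding("marketing-assets", "public", "public", False),
    Finding("hr-dump", "confidential", "internal", False),  # label unknown to the policy
]


def risk_score(f: Finding):
    """Inherent risk as sensitivity x exposure; None when a label is unknown."""
    if f.classification not in SENSITIVITY or f.exposure not in EXPOSURE:
        return None
    return SENSITIVITY[f.classification] * EXPOSURE[f.exposure]


def tier_for(score) -> str:
    """Bucket a score into a tier that drives the control decision."""
    if score is None:
        return "unknown"
    if score >= 6:
        return "critical"
    if score >= 3:
        return "high"
    return "low"


def plan_remediation(f: Finding) -> dict:
    """Map one finding to the controls applied automatically and those left to humans."""
    score = risk_score(f)
    tier = tier_for(score)
    automatic, manual = [], []
    if tier == "unknown":
        # Never auto-act on a label the policy does not recognise; route it to a person.
        manual.append("review_classification")
    elif tier == "critical":
        if f.exposure == "public":
            automatic.append("restrict_public_access")
        if not f.encrypted:
            automatic.append("enable_encryption")
        manual.append("notify_data_owner")
    elif tier == "high":
        if not f.encrypted:
            automatic.append("enable_encryption")
        else:
            manual.append("open_ticket")
    else:
        automatic.append("record_finding")
    return {"resource": f.resource, "score": score, "tier": tier,
            "automatic": automatic, "manual": manual}


def triage(findings):
    """Plan every finding and summarise how much was remediated without a human."""
    plans = [plan_remediation(f) for f in findings]
    summary = {"by_tier": {}, "automated_actions": 0, "manual_actions": 0}
    for p in plans:
        summary["by_tier"][p["tier"]] = summary["by_tier"].get(p["tier"], 0) + 1
        summary["automated_actions"] += len(p["automatic"])
        summary["manual_actions"] += len(p["manual"])
    return plans, summary


if __name__ == "__main__":
    plans, summary = triage(SAMPLE_FINDINGS)
    for p in plans:
        print(p)
    print(summary)
```

The action names stand in for whatever the environment actually exposes (a bucket policy change, a key-management call, a ticket); the point of the example is that the decision from finding to control is made by policy at scan time, so the weeks of manual triage described above are spent only on the items the policy deliberately reserves for people.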

Until then....


Hayden Atkinson

Data Privacy at TrustArc | Make Privacy Your Differentiator

11 months

Great insight Sid - agree on the 'AI is an oversold term here'. We live in a world of machine learning and robot vacuum cleaners, so people think there should just be a start to finish easy button here. Yet to see that implemented though.

Nicely done, Sid! One of the aspects of Posture Management is the whole policy piece - managing regulatory and internal security controls with policy that automatically adjusts new data sources to comply with your unique policy. This is an area that I want to understand and drive more - policy drives controls, which ensures you're remaining in compliance in dynamic environments that include on-premises, cloud, SaaS and more!

Ryan L.

Senior Client Executive - Business Development & Solution Services at Kforce

11 months

Great job Sid. Well written and a valuable read.

Emeric Marc

I help companies resuscitate dead leads and sell using AI #copywriting #emailmarketing #coldemail #content #databasereactivation

11 months

Looking forward to the discussions around data security posture management!
